Russian Hacker Gets a Taste of His Own Malware

After a persistent series of attacks on its government computers by a Russian hacker, the Republic of Georgia got mad and refused to take it anymore.

The alleged hacker, caught on webcam.Source: Georgian CERT team report

In a reversal of roles, members of the country's Computer Emergency Response Team (CERT) suckered the cybermiscreant into downloading a file infected with his own spyware that allowed CERT to photograph the alleged hacker with his computer's webcam and ransack its hard drive for files.

The Georgian CERT team discovered the hacker's activity in March 2011. He was planting advanced malicious software on computers in Georgia and elsewhere that collected sensitive, confidential information about Georgian and American security documents, the team said.

"After investigating attackers' servers and malicious files, we have linked this cyberattack to Russian official security agencies," Georgian CERT reported.

Targeted Attacks

In the course of his espionage campaign, the report notes, the suspected Russian cyberspy infected 390 computers -- 70 percent of them in Georgia, 5 percent in the United States and another 10 percent in Canada, Ukraine, France, China, Germany and Russia.

Organizations targeted in Georgia included government ministries, its parliament, critical information infrastructures, banks and non-governmental organizations, the report says.

The attacks were highly targeted. For example, Web pages at Georgian news websites were infected based on content. Stories about NATO and Georgia, meetings and agreements between the United States and Georgia and Georgian military news were popular targets of the hacker.

The infected pages transferred malicious software to the computers of anyone who visited them, according to the report. When executed, the malware took control of an infected computer, searched documents it held for sensitive words, and captured video and audio from any computer that had a built-in camera and microphone.

Russian Secret Service Connection

The attacker had connections to the notorious
Russian Business Network, a well-known perpetrator of nefarious activities on the Web, as well as to the Russian Ministry of Internal Affairs, which includes the Federal Security Service (FSB), formerly the KGB, CERT alleged.

This site used by the hacker to control computers infected in Georgia belongs to the Russian Business Network, the CERT report asserts. A link to the network was also found embedded in the malware code used by the hacker.

In addition, the domain used by the hacker to send infected emails to Georgian targets during the phishing phase of his campaign was registered to someone with an address in the department of logistics at the Russian Ministry of Internal Affairs, the report says. Prior to launching a military campaign against Georgia in 2008, the Russians subjected the country to a cyberattack.

The phishing phase of the spy campaign began after Georgian CERT blocked the connections to the servers receiving documents stolen by the hacker's spyware and cleaned up computers it had infected, according to a report by the IDG News Service.

Obscure File Evades Detection

The infected attachments in those phishing messages, IDG reported, were in a file format, XDP, that didn't raise red flags in antivirus scanners. XDP -- XML Data Package -- allows PDF files to be represented as XML. An XDP file can be opened in Adobe Reader and viewed as if it were a PDF file.

"It's a clever idea," Sophos Security Advisor Chet Wisniewski told TechNewsWorld. "It's a really obscure format. It's not used commonly, which means it's unlikely that an administrator would explicitly block it from an email."

"What the bad guys try to do is find and use features which aren't yet supported by the anti-malware PDF scanners," he told TechNewsWorld.

Antivirus Free Pass

Ironically, if the hacker had embedded his malware in a PDF file, most antivirus programs would have likely identified the attachment as malicious, because PDF files are often used to deliver malware, and antivirus programs are conditioned to treat them with suspicion, Wisniewski explained.

"Because XDP is still read and interpreted by Adobe Reader," he continued, "if there's a vulnerability in Adobe Reader that you might exploit in a PDF you can put that same exploit code into a XDP file, but an antivirus scanner would most likely not know what it was, and pass it through."

XDP has been linked in the past to targeted attacks, like those in Georgia. In his analysis of the format in June, security researcher Brandon Dixon discovered a number of infected attachments that appeared to be focused on sensitive government targets. The attachments had filenames like "military planning.xdp "and "secret service training.xdp."

"These were never disseminated through crimeware," he told TechNewsWorld. "It appeared to be targeted malware."

"It was someone trying to compromise a specific target, as opposed to a larger audience, such as your typical computer user," he added.